Microcode update howto

[ozsouth]

Microcode - early loading of latest microcode - vital security. (64 bit works; I've had no luck getting 32 bit to work).

There has been much talk about this vital security update with little 'howto'. I finally got it to work. I got Fatdog's .cpio update (see link below) & put in same folder as initrd.gz (in examples below, is /EFI/boot/puppy). Is for syslinux or grub boot & must edit initrd line. Use at own risk.

For SYSLINUX, have a comma (no spaces) between the 2 entries. For GRUB one space only.

Syslinux example:

initrd puppy/microcode-update-20190514a.cpio,puppy/initrd.gz


Grub example:

initrd /EFI/boot/puppy/microcode-update-20190514a.cpio /EFI/boot/puppy/initrd.gz

NOTE: if you have multiple puppies to boot, put .cpio file in a folder (i.e. micd) & reference that for all.

Get file here: http://distro.ibiblio.org/fatdog/kernel ... 0514a.cpio

[peebee]

Thanks ozsouth........

Would it work if the /lib/firmware/intel-ucode directory
from
http://ftp.uk.debian.org/debian/pool/no ... 1_i386.deb
was present in the fdrv? or is this too late in the boot sequence?

Cheers
peebee

[ozsouth]

Peebee - This seems to be a late-install .deb, so I booted upupbb 18.05 & installed it, made a small save file & rebooted (twice). No effect.
Here's some info I found about late installs:

To update the intel-ucode package to the system, one need:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy intel-ucode directory to /lib/firmware, overwrite the files in /lib/firmware/intel-ucode/
3. Write the reload interface to 1 to reload the microcode files, e.g. echo 1 > /sys/devices/system/cpu/microcode/reload

Both 32bit pups I tried (slacko-6.3.0 the other) failed at step 1. We need jamesbond to help us.

EDIT: Downloaded iucode-tool .deb, installed in upupbb, made a .cpio file from your intel-ucode. Didn't work.
A hybrid x86_64 kernel in upupbb with fatdog's .cpio above works.

[peebee]

Using the altered initrd command....

On my Celeron based laptop I got indications in dmesg and using PupSysInfo that microcode had been updated and vulnerability mitigation had changed.

However on my Xeon based desktop it indicated that microcode was not found - presumably because it isn't currently in the .cpio file for these cpu's.

Celeron:
# dmesg | grep microcode
microcode: microcode updated early to revision 0x838, date = 2019-04-22

spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
changes to:
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

[peebee]

This is the list of updated cpu's

https://support.microsoft.com/en-us/hel ... de-updates

My desktop Xeon cpu is not listed......

CPU(s): 2 Quad core Intel Xeon E5450s

# dmesg | grep microcode
MDS: Vulnerable: Clear CPU buffers attempted, no microcode
microcode: sig=0x1067a, pf=0x40, revision=0xa0b

[ozsouth]

Thanks for the list Peebee. My 9yo i3-2310M & 3yo celeron n3060 make the list. Interestingly, another family member's 6yo Celeron 1000M isn't on the list, but the spec-melt check is all green. In case people think new AMDs are the answer, I got a cheap AMD e2-9000e (was $100 off for a day) - checker all green, but not much faster than my celeron n3060 & had radeon2 video & shutdown issues with 4.19 & 5.x kernels (fatdogs 4.18.12 kernel works well). Also had to compile rtl8821ce wireless driver - getting good source code reminded me of broadcom issues.

[peebee]

Interestingly..........??

the 32-bit .deb has 124 data files

whereas

the 64-bit .deb has just 74.....

This seems to be the repo for the data files which can be watched for updates:

https://github.com/intel/Intel-Linux-Pr ... ntel-ucode

[Marv]

Using the altered initrd command....

On my Celeron based laptop I got indications in dmesg and using PupSysInfo that microcode had been updated and vulnerability mitigation had changed.

However on my Xeon based desktop it indicated that microcode was not found - presumably because it isn't currently in the .cpio file for these cpu's.

Celeron:
# dmesg | grep microcode
microcode: microcode updated early to revision 0x838, date = 2019-04-22

spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
changes to:
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

Tested early loading on my second generation i5 laptop (Sandy Bridge, i5-2520M) using the .cpio file and instructions above in the current LxPupSc and LxPupSc64, both running Kernel Release 5.1.8-lxpup64.

Grub4Dos install, the relevant menu entry line for LxPupSc64 as an example:
initrd /LxPupSc64b/microcode-update-20190514a.cpio /LxPupSc64b/initrd.gz

In both pups, dmesg shows:
# dmesg | grep microcode
microcode: microcode updated early to revision 0x2f, date = 2019-02-17

and mitigation changes from:
l1tf:Mitigation: PTE Inversion
mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Vulnerable
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
to:
l1tf:Mitigation: PTE Inversion
mds:Mitigation: Clear CPU buffers; SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

I've had no success with late loading on the above hardware and pups. Checking dmesg there, the update occurs but must be too late. Mitigation is unchanged. Thus this is a step forward for me.

Thanks all,

[ozsouth]

Marv - I found that only one instance of the .cpio file is allowed.
Make a microcode folder (mine is micd) at the same level as your LxPupSc64b, put the .cpio file there only, & change your initrd line to:
/micd/microcode-update-20190514a.cpio /LxPupSc64b/initrd.gz & reboot. Ditto any other Pups using the same bootloader.
If that fails, try using a comma between entries, no spaces. (I used grub2 & syslinux in my tests).

[Marv]

Marv - I found that only one instance of the .cpio file works.
Make a microcode folder (mine is micd) at the same level as your LxPupSc64b, put the .cpio file there only, & change your initrd line to:
/micd/microcode-update-20190514a.cpio /LxPupScb/initrd.gz & reboot. Ditto any other Pups using the same bootloader.
If that fails, try using a comma between entries, no spaces. (I used grub2 & syslinux in my tests).

Thanks, that's kind of the next step. I'd like to get it working for upupdd but for now the stock kernel for that isn't configured to do early loading so I'm going to fiddle with that first. I share SFS and profiles with all the pups in the kennel so I definitely see the advantage of that approach both from a space and maintenance standpoint.

Update: Did a kernel swap into upupdd for now. Early loading and mitigation working there now and the shared microcode folder is working correctly on all 3 pups. I'll play more later with that kernel.

Monday June 17 update: All above also holds for peebees 5.1.11 kernel.

[peebee]

New release:

https://github.com/intel/Intel-Linux-Pr ... e-20190918

[ozsouth]

I've made a 64bit .cpio 18-Sep-2019 microcode update file. Attempts to make 32bit file failed (64bit x86_64 kernel works if 64bit cpu).
SUPERSEDED.

[peebee]

New release:

microcode-20191112 release

The following files have changed in microcode-20191112 since microcode-20190918:
New Platforms
Processor Model Stepping Family Code Model Number Stepping Id Platform Id Old Version New Version Products
AVN B0/C0 6 4d 8 01 0000012D Atom C2xxx
CML-U62 A0 6 a6 0 80 000000c6 Core Gen10 Mobile
CNL-U D0 6 66 3 80 0000002a Core Gen8 Mobile
SKX-SP B1 6 55 3 97 01000151 Xeon Scalable
GKL B0 6 7a 1 01 00000032 Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100
GKL-R R0 6 7a 8 01 00000016 Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
ICL U/Y D1 6 7e 5 80 00000046 Core Gen10 Mobile
Updated Platforms
Processor Model Stepping Family Code Model Number Stepping Id Platform Id Old Version New Version Products
SKL U/Y D0 6 4e 3 c0 000000cc 000000d4 Core Gen6 Mobile
SKX-SP H0/M0/U0 6 55 4 b7 02000064 00000065 Xeon Scalable
SKX-D M1 6 55 4 b7 02000064 00000065 Xeon D-21xx
CLX-SP B0 6 55 6 bf 0400002b 0400002c Xeon Scalable Gen2
CLX-SP B1 6 55 7 bf 0500002b 0500002c Xeon Scalable Gen2
SKL H/S/E3 R0/N0 6 5e 3 36 000000cc 000000d4 Core Gen6
AML-Y22 H0 6 8e 9 10 000000b4 000000c6 Core Gen8 Mobile
KBL-U/Y H0 6 8e 9 c0 000000b4 000000c6 Core Gen7 Mobile
CFL-U43e D0 6 8e a c0 000000b4 000000c6 Core Gen8 Mobile
WHL-U W0 6 8e b d0 000000b8 000000c6 Core Gen8 Mobile
AML-Y V0 6 8e c 94 000000b8 000000c6 Core Gen10 Mobile
CML-U42 V0 6 8e c 94 000000b8 000000c6 Core Gen10 Mobile
WHL-U V0 6 8e c 94 000000b8 000000c6 Core Gen8 Mobile
KBL-G/X H0 6 9e 9 2a 000000b4 000000c6 Core Gen7/Gen8
KBL-H/S/E3 B0 6 9e 9 2a 000000b4 000000c6 Core Gen7; Xeon E3 v6
CFL-H/S/E3 U0 6 9e a 22 000000b4 000000c6 Core Gen8 Desktop, Mobile, Xeon E
CFL-S B0 6 9e b 02 000000b4 000000c6 Core Gen8
CFL-H R0 6 9e d 22 000000b8 000000c6 Core Gen9 Mobile

For updated Specification Update documents, please visit Intel Resource & Design Center.
—

[ozsouth]

I've made a 64bit .cpio 12-Nov-2019 microcode update file. Have had no success making 32bit files (64bit x86_64 kernel works if 64bit cpu).
** Superseded - see 2 posts down **

[peebee]

microcode-20191113 release

Processor Model Stepping Family Code Model Number Stepping Id Platform Id Old Version New Version Products
CFL-S P0 6 9e c 22 000000a4 000000c6 Core Gen9 Desktop

NOTE: This microcode was previously incorrectly listed as both CFL-S (Desktop) and CFL-H (Mobile) and was removed from the 20191112 release. This processor is now correctly listed as CFL-S (Desktop) only.

[ozsouth]

I've made a 64bit .cpio 13-Nov-2019 microcode update file. Have had no success making 32bit files (64bit x86_64 kernel works if 64bit cpu).
** Superseded - see below.

[backi]

Fine !! .....but I am just a Newbie .......How to use it ????

Thanks in Advance !

[belham2]

Fine !! .....but I am just a Newbie .......How to use it ????

Thanks in Advance !

But I'm just a newbie?

Yup, and I'm just a very young man trapped in a very, very, VERY old body.

Backi Backi, Backi.....calling Backi---please come back from that hand-holding Ddog world.

A cpio file, iirc, can be used for:

1) Copying files (to an archive)
2) Extracting (from an archive)
3) Passing files (to another directory tree)

Maybe we might put or extract whatever (the pup we're using) pup's initrd into a directory (cat ../initrd | cpio -i -d -m), then copy the .cpio file into it that extracted initrd directory, and then re-close the directory back up (find . | cpio -o -H newc > ../initrd) to make our pup's initrd again.

After that, we'll now have the microcode update (and thanks, Ozsouth!!)

But don't quote me, I'm too just a newbie here

[backi]

Hi Belham !
Nice to meet you.......again .
You make yourself quite scarce here in the last time .

Thanks for Support .......but i suppose it will anyway not apply to me since i am on Bionic Dog or other Dogs mostly .
Seems an Upgrade did the Trick .....not quite sure .

Nevertheless ......
Best wishes out of the " Coming Dystopistan " aka " New Shitholistan ".....formerly known as " Merry old Germany " !

[ozsouth]

See the first posts in this thread - hopefully explains usage. (@belham2 - it's fortuantely much simpler than you'd think).